When you purchase a new computer the manufacturer is usually kind enough to install everything, starting with the operating system. This is usually a somewhat limited edition of the currently shipping version of Windows. Inevitably the computer also includes a small pile of software and utilities, ranging from trial versions of Office and limited-time anti-virus software to toolbars and other vendor-specific utilities.
The software is installed to both give a greater perceived value to the computer being sold and to actually get money from other companies for putting their software on your computer. The idea is that you will love the trial software so much that you want the paid or professional version.
There are actually only three real options once you have purchased your new computer.
The first is to simply live with the undesired cruft on your new computer. The computer is so new that it does start up pretty quickly.
The next choice is to try to remove the trial and other undesired software. This is usually easier said than done. A lot of programs do provide an uninstall program when they are installed, but not all of these actually uninstall the software. It might be necessary to purchase or find another program which will remove this software. I don’t use any of these programs myself as I take the next option – install the operating system from scratch.
I used to think that this was the absolute best and safest thing that you could do – no junk, no trials, no rootkits. Nothing could be safer, well, until I read about an extra-special hook provided by Microsoft Windows.
With great power comes great responsibility
The extra-special hook, or feature, is the Windows Platform Binary Table (WPBT). This feature allows PC manufacturers to inject drivers or programs into a Windows installation from the motherboard firmware.
This means that when the computer restarts and the BIOS (firmware) is still in control, before the operating system has started, it can copy a file or files into your installation.
This is a hugely powerful ability. It can be used either for good or for evil. The good would be to ensure that anti-theft tools stay in place even if the operating system is re-installed. Anti-theft software certainly wouldn’t be any good if it could be worked around so easily. This functionality could also be used to ensure that drivers are available for special or unique hardware.
The malicious usage of this technology might be similar to what was discovered in August with some Lenovo computers. Lenovo has since stopped this small “faux pas”. More important than this single incident is that this vector is still a possibility for attack. Not from the script kiddies or virus writers but from the people who sell us the hardware.
This attack vector is even more troubling with the advent of Secure Boot, which is now required by Windows. With Secure Boot it is now possible to have our devices locked down. So locked down that you cannot compile, install and run your own operating system, but that is a subject for a different article.
Unlike the “firmware” on other, much smaller devices, the firmware on our computers is actually the small UEFI operating system that is installed on its own 200 MB partition. This is probably tiny compared to most smartphones but gigantic when compared to the 1.2 MB floppy disks or 10 MB hard disks of the first IBM PC computers.
It was previously possible to have a bootable floppy diskette with the operating system and virtually the entire 1.2 MB unused. Only a few kilobytes were needed to run the non-graphical operating system. It would be possible to do a considerable amount with hundreds of megabytes of program space.
This is the first time this type of thing has happened – right?
Well, not exactly. There have been some other heavy-handed activities by manufacturers in the past. This is actually not the first time that some sort of ham-handed attempt at securing a consumer device has occurred.
- theregister.co.uk: Superfish spyware
- theverge.com: disable windowsupdate.exe
- schneier.com: Sony DRM rootkit
- pcworld.com: computers preinstalled with malware
How can I check my computer?
When Windows reads the binary data from the UEFI firmware at boot, it writes the copied file to wpbbin.exe in the \windows\system32 directory. You can look in this directory to see if such a file exists.
Depending on what the executable actually does, it may not necessarily keep this name. It is also possible to use tools to see what is set up in the WPBT.
This may indeed be a very dangerous tool in the hands of well-meaning but fat-fingered typists. Use it with extreme care, or in read-only mode.
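As an added example (not code from the original post), here is a small Python script that reads the WPBT on a Windows machine through the documented kernel32 GetSystemFirmwareTable call and decodes its fields, so you can see what binary and command line the firmware hands to Windows before trusting a wpbbin.exe you find. The field layout follows Microsoft's WPBT specification; the sample table is constructed for offline use and the handoff address and OEM strings in it are made-up values.

```python
import ctypes
import struct
import sys

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI table header
WPBT_BODY = struct.Struct("<IQBBH")  # handoff size, handoff address, layout, type, cmdline length

def parse_wpbt(raw: bytes) -> dict:
    """Decode a raw WPBT image into its fields (field order per Microsoft's WPBT specification)."""
    sig, length, _rev, _chk, oem_id, oem_tbl, _, _, _ = ACPI_HEADER.unpack_from(raw, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: signature {sig!r}")
    if sum(raw[:length]) & 0xFF != 0:  # every ACPI table must sum to zero mod 256
        raise ValueError("ACPI checksum mismatch")
    size, address, layout, ctype, arg_len = WPBT_BODY.unpack_from(raw, ACPI_HEADER.size)
    cmdline = raw[ACPI_HEADER.size + WPBT_BODY.size:][:arg_len].decode("utf-16-le").rstrip("\x00")
    return {
        "oem_id": oem_id.rstrip(b"\x00 ").decode(errors="replace"),
        "oem_table_id": oem_tbl.rstrip(b"\x00 ").decode(errors="replace"),
        "binary_size": size,  # bytes of the PE image the firmware left in physical memory
        "binary_address": address,
        "content_layout": layout,  # 1 = single PE image
        "content_type": ctype,  # 1 = native user-mode application
        "cmdline": cmdline,  # arguments Windows passes to wpbbin.exe
    }

def read_wpbt_from_firmware() -> "bytes | None":
    """Fetch the live table through kernel32!GetSystemFirmwareTable (Windows only)."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    provider = 0x41435049  # 'ACPI', the provider value documented for this API
    table_id = struct.unpack("<I", b"WPBT")[0]  # table signature packed as a little-endian DWORD
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None  # firmware publishes no WPBT, so nothing is injected at boot
    buf = ctypes.create_string_buffer(needed)
    k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw

def build_sample_wpbt(cmdline: str = "/quiet") -> bytes:
    """Constructed demo table (not from any real firmware) so the parser can run offline."""
    args = cmdline.encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(0x20000, 0x7E000000, 1, 1, len(args)) + args
    hdr = bytearray(ACPI_HEADER.pack(b"WPBT", 36 + len(body), 1, 0, b"DEMO  ", b"DEMOTBL ", 1, b"DEMO", 1))
    hdr[9] = (-sum(hdr) - sum(body)) & 0xFF  # fix up the checksum byte
    return bytes(hdr) + body

if __name__ == "__main__":
    raw = read_wpbt_from_firmware() or build_sample_wpbt()  # falls back to the demo table off Windows
    print(parse_wpbt(raw))
```

Run it as an administrator on the machine you want to check; an empty result from the firmware means no WPBT is published, while a decoded table tells you the size of the injected binary and the command line it is started with.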
How can I protect myself?
There are a number of different possibilities:
- get a PC from a vendor you really trust
- use an alternative operating system such as Linux or BSD
- build your own computer
- get a PC from Apple
More about UEFI